30 replies to this topic

[JoeGons]

Hi, I’ve tried several searches here for this topic. No luck. My computer is running normally but..... My Sygate Firewall reported CPAX20 (alg.exe) trying to “call out”. Remote Name : www.sorn-soft.com Remote Address : 72.29.77.243 After several web searches I found agl.exe is supposed to be Application Layer Gateway Service which is a Windows Service. The location just did not look right. C:\Program Files\Common Files\alg.exe Adaware says it is a Win32.Backdoor.Agent. SornSoft seem to make some very suspicious software. CPAX2.exe SornSoft Question: Should I look further or can I just remove it and forget it? I changed the file extension to .exet. I tried to run RootRepeal after turning off all my security. Auto-protect, Spybot, Firewall. Even spam filter. It freezes at initializing. Lots of hard drive activity and lots of memory and 100%CPU. I needed Task Manager to kill it. System: Gateway Win XP SP3 --------------------------------------------------------- Edited: Obsolete

Edited by JoeGons, 24 November 2009 - 07:32 AM.

[extremeboy]

Hello and welcome to WTT!

If you still require help please do the following to see the condition of your machine and also please give a description of any remaining problems or symptoms you may still have please.

Please read the instructions here first: http://forums.whatth...rs_t106388.html

Post the results once done. Any problems/questions you can let me know.

~Extremeboy

[JoeGons]

Hi Extremeboy, Thanks for the reply. I read the guide as instructed by Noviciate. As I said, I am not having any problems. I am hoping someone else has seen this infection before. As I said, I found CPAX20 masquerading as alg.exe in C:\Program Files\Common Files. I changed the extension to .exet and moved it. I can upload it if you like and you can play with it. ONLY Adaware identified it as a “Win32.Backdoor.Agent”. I tried to run RootRepeal (many times) after turning off all my security. Auto-protect, Spybot, Firewall. Even spam filter. It freezes at initializing. No error messages. Lots of hard drive activity and lots of memory and 100% CPU. I needed Task Manager to kill it. Thanks, Joe

[extremeboy]

Please take a new DDS run then and post the logs.

Yes, you can upload that file to the following place:

Open VirSCAN or VirusTotal Online Scanner. If one site is busy or down, try the other

At the top of the page you'll see a box. Lcate the file and upload it. Post the results once done.

Try running GMER...

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

• Please download GMER from one of the following locations, and save it to your desktop:
  
• Main Mirror
  This version will download a randomly named file (Recommended)
• Zip Mirror
  Alternate Zip Mirror 1
  Alternate Zip Mirror 2

This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

• Close any and all open programs, as this process may crash your computer.
• Double click or on your desktop.
  
• When you have done this, close all running programs.
  There is a small chance this application may crash your computer so save any work you have open.

• Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
• Allow the gmer.sys driver to load if asked.
  If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
  

• In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
  
  • Sections
  • IAT/EAT
  • Registry
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show all (Don't miss this one!)
• Click on and wait for the scan to finish.
• If you see a rootkit warning window, click OK.
• Push and save the logfile to your desktop.
• Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

~EB

[JoeGons]

Hi, Thank you for your help. I’m sorry for being so slow. I’ve had a few other things to deal with. (Water line broke and flooded the place. Thank God for the “Shop Vac”.) I have tried and tried to run GMER. I turned off all my startup services and anti virus etc and rebooted. GMER runs for about 10 seconds and I get the old “GMER has encounted a problem and must shut down”. I tried it in Safe mode and the same thing. In addition, when I start GMER, it starts scanning immediately and I cannot uncheck the items you suggested. The Panda Anti Rootkit found nothing. RootkitRevealer 1.71 found some stuff it thought was suspicious but crashed when I tried to save the log. It would not let me copy off the “report screen”. RootAlyzer found nothing on a quick scan but found some stuff in a deep scan but it looks like Daemon hidden entries and my HP Printer Update files. I have figured out what placed the file on the system. I an using a Gateway Profile 5 (all-in-one) that I am very attached to. I know it can’t run Windows 7 but being a curious kind-a-guy I wanted to see what this OEM activation thing was all about. I installed something they call a “Loader” that I wanted to see what it was. Well. Of course, it knew I was not running Win 7 so I really could not go very far. Well, I found a log file in the C: root. ErrLog.txt [11/14/2009 07:54:54] Success Setup started: C:\Program Files\Windows 7 loader\license.exe [11/14/2009 07:54:54] Notice Setup engine version: 8.1.1006.0 [11/14/2009 07:54:54] Notice Product: , version [11/14/2009 07:54:54] Success Language set: Primary = 9, Secondary = 1 [11/14/2009 07:54:54] Success Verify archive integrity [11/14/2009 07:54:54] Skipped Date expiration check [11/14/2009 07:54:54] Skipped Uses expiration check [11/14/2009 07:54:54] Success System requirements check [11/14/2009 07:54:54] Success Include script: _SUF70_Global_Functions.lua [11/14/2009 07:54:54] Notice Start project event: Global Functions [11/14/2009 07:54:54] Success Run project event: Global Functions [11/14/2009 07:54:54] Notice Start project event: On Startup [11/14/2009 07:54:54] Success Run project event: On Startup [11/14/2009 07:54:54] Notice Start project event: On Pre Install [11/14/2009 07:54:54] Success Run project event: On Pre Install [11/14/2009 07:54:54] Success Free space check on drive: C:\ [11/14/2009 07:54:54] Success Install archive file: C:\Program Files\Common Files\alg.exe [11/14/2009 07:54:54] Notice Start project event: On Post Install [11/14/2009 07:54:54] Error Script: On Post Install, Line 28 (1605) [11/14/2009 07:54:54] Success Run project event: On Post Install [11/14/2009 07:54:54] Notice Start project event: On Shutdown [11/14/2009 07:54:54] Success Run project event: On Shutdown [11/14/2009 07:54:54] Notice Exit setup process (Return code: 0) Well that’s it. I tell you all this because you have taken the time to help me and I believe the information may be useful to you. It seems that there is something on “THIS” machine that just does not like RootKit scanners. If I may be so bold, I am attaching a Hijackthis scan. That works!!! I can see nothing really strange there. There is one more thing you can help me with. Is there a good Commercial RootKit scanner that will not crash? Everything seems to be fine so I’ll quit while I’m ahead. Thanks again. Joe

Attached Files

•  hijackthis_Nov_21_2009.zip   3.85KB   574 downloads

[extremeboy]

Hello.

I'm not sure of commercial rootkit scanners and most rootkit scanners require some knowledge of the Operating System itself. Not everything it finds is "bad" or true.

Can you try this rootkit scanner?

Download and Run SysProt Anti-Rootkit

Please download SysProt Antirootkit v1.0.1.0 from one of the links below in this link and save it to your desktop.

• Please extract the SysProt.zip file to your desktop. Unzip/extract the file to its own folder by Right-clicking on it and selecting Extract All.... (Click here for information on how to do this if not sure. Win 2000 users click here.). Follow the prompts to finish extracting it.
• Open the extracted folder and double-click the Sysprot.exe program to run it. (If you are using Vista, pelase right-click and select run as administrator)

• Click on the Log tab.
• Under the Write to log box select all 7 items referring to the diagram below
  
• Now push the button near the bottom.
• Another window shall appear soon. Please be paitent while it collects some information.
• Once the new windows appears, please select the Scan Root Drive option.
• Now press the button.
• It will now begin to scan. Please be paitent until the scan is complete.
• Once the scan is complete, a new window will appear notifying you that is complete.

The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the Sysprot folder and in there you should see the SysProtLog.txt log.

Please post/attach the contents of that log here in your next reply.

[JoeGons]

Hi, Well that one really takes the cake. It completely crashed my computer. The others only crashed themselves. I believe it was trying to log the Kernel Modules. I got the blue screen with a few messages about my BIOS and a Memory dump. This is what Microsoft had to say. Consider BIOS upgrade Microsoft is unable to determine the exact cause of this error. However, this problem was most likely caused by an error in your computer’s random access memory (RAM). RAM is the main internal storage area the computer uses to run programs and store data. During the crash analysis, we noticed the basic input/output system (BIOS) version on this computer does not match the specifications for the central processing unit (CPU), also known as a processor, that is installed on your computer. This can occur when a newer processor is installed on an older system board or older BIOS. Using a BIOS that does not support the installed processor can result in Windows system crashes. Contact your computer manufacturer or motherboard manufacturer for an updated version of BIOS for your computer's processor. Well that’s a lot of bull since the machine has not been modified. Anyway, thanks for trying. Joe

[JoeGons]

I got Sophos to run. It only found two Registry entries to do with Daemon tools and the rest are from a Diskeeper program I tried. I think I'll remove the Diskeeper files since I don't use that anyway. Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc Started logging on 11/23/2009 at 7:10:39 AM User "Owner" on computer "HOME-GATEWAY" Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32 Info: Starting process scan. Info: Starting registry scan. Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\d347prt\Cfg\0Jf40 Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\d347prt\Cfg\0Jf41 Info: Starting disk scan of C: (NTFS). Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\PerfData{9003FBEA-3F7D-11DD-8A6E-00E0B86E48E8}.xml Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\PerfData{3C362F85-10DD-11DB-846A-00E0B86E48E8}.xml Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\PerfData{3FDF1DD2-3C0C-11DD-8A58-00E0B86E48E8}.xml Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{3FDF1DC8-3C0C-11DD-8A58-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{0ED7A9E0-4165-11DD-8A78-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{0ED7A9E4-4165-11DD-8A78-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{0ED7A9E6-4165-11DD-8A78-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{3C362F85-10DD-11DB-846A-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\PerfData{3FDF1DC8-3C0C-11DD-8A58-00E0B86E48E8}.xml Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{3FDF1DCC-3C0C-11DD-8A58-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{3FDF1DCE-3C0C-11DD-8A58-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{3FDF1DD0-3C0C-11DD-8A58-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{3FDF1DD2-3C0C-11DD-8A58-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{7C8E57DB-33CC-11DD-8A2A-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{7C8E57DC-33CC-11DD-8A2A-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{7C8E57DD-33CC-11DD-8A2A-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{7C8E57DE-33CC-11DD-8A2A-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{9003FBE8-3F7D-11DD-8A6E-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{9003FBEA-3F7D-11DD-8A6E-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{901CB126-BFAC-11DD-B7D1-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{901CB12A-BFAC-11DD-B7D1-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{901CB130-BFAC-11DD-B7D1-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{901CB134-BFAC-11DD-B7D1-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\Volume{901CB136-BFAC-11DD-B7D1-00E0B86E48E8}.dat Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\PerfData{3FDF1DCC-3C0C-11DD-8A58-00E0B86E48E8}.xml Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\PerfData{3FDF1DD0-3C0C-11DD-8A58-00E0B86E48E8}.xml Hidden: file C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\XSandbox\Diskeeper ™ Application Launcher\13.0.3.0\2008.12.07T11.56\Virtual\MODIFIED\@PROGRAMFILES@\Diskeeper Corporation\Diskeeper\PerfData{9003FBE8-3F7D-11DD-8A6E-00E0B86E48E8}.xml Info: Starting disk scan of E: (NTFS). Info: Starting disk scan of F: (NTFS). Info: Starting disk scan of G: (NTFS). Info: Starting disk scan of H: (NTFS). Stopped logging on 11/23/2009 at 8:18:01 AM

[JoeGons]

Hi, As I mentioned before, RootkitRevealer will not let me save the scan log. It crashes. I have attached four Screen shots of what it found. If you look at them in sequence, you will see the second item which is very long. Items two, three and four are interesting. Five and six are Daemon and seven is something to do with my HP printer I guess. Thanks Joe

Attached Files

•  RR.zip   178.95KB   561 downloads

[extremeboy]

RootkitRevealer is a very outdated tool is not used much anymore.

--

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1

• Make sure you are connected to the Internet.
• Double-click on Download_mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link


Please delete the copy of DDS you currently have. Re-download it from one of those links above and save it to your desktop.

Run it and post the logs once done.

With Regards,
Extremeboy

[JoeGons]

Only three objects detected. The first is an empty Key. The other two are because I use my own Firewall and Anti Virus and have disabled those. I have taken no action. What is a "Rogue.Errorsafe". Logs attached. Thanks MBAM Log: Malwarebytes' Anti-Malware 1.41 Database version: 3222 Windows 5.1.2600 Service Pack 3 11/24/2009 9:01:16 AM mbam-log-2009-11-24 (09-01-06).txt Scan type: Quick Scan Objects scanned: 135630 Time elapsed: 6 minute(s), 39 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{70004d5d-3bf6-4d51-43b2-02fc0002cdb5} (Rogue.Errorsafe) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ------------------------ DDS (Ver_09-11-24.02) - NTFSx86 Run by Owner at 9:01:56.73 on Tue 11/24/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.765.378 [GMT -4:00] AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Prevx\prevx.exe C:\WINDOWS\system32\svchost.exe -k hpdevmgmt C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\Prevx\prevx.exe E:\UPHClean\uphclean.exe C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Gateway Utilities\GWInkMonitor.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\FinePixViewer\QuickDCF.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\Owner\Desktop\dds.pif ============== Pseudo HJT Report =============== uStart Page = about:blank uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms} uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/ BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - HP Print Enhancer BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [IgfxTray] c:\windows\system32\igfxtray.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [DeadAIM] rundll32.exe "c:\progra~1\aim\\DeadAIM.ocm",ExportedCheckODLs mRun: [Gateway Ink Monitor] "c:\program files\gateway utilities\GWInkMonitor.exe" mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe mRun: [InCD] c:\program files\ahead\incd\InCD.exe mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN mRun: [StartupDelayer] "e:\program files\startup delayer\Startup Launcher GUI.exe" mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe mRun: [TotalRecorderScheduler] "c:\program files\highcriteria\totalrecorder\TotRecSched.exe" mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll LSP: c:\windows\system32\SpamExpertsLSP.dll DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1207703805656 DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109560873765 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210633221781 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39212.5848148148 DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5803/mcfscan.cab TCP: {59202295-CE19-4883-A6D0-90355915FD97} = 196.3.132.153,196.3.132.154 Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll Notify: igfxcui - igfxdev.dll AppInit_DLLs: apitrap.dll,c:\windows\system32\SpamExpertsLSP.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll mASetup: {32544452-2241-2343-2313-245211031325} - c:\windows\winlogon.exe ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-3 64288] R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-3-21 22536] R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-3-21 4150840] S1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\xylocser.sys [2007-4-18 55712] S3 42cAA;42cAA;c:\windows\system32\42cAA.sys [2009-11-23 54624] S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?] S3 ELQQIN;ELQQIN;c:\docume~1\owner\locals~1\temp\elqqin.exe --> c:\docume~1\owner\locals~1\temp\ELQQIN.exe [?] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-18 8704] S3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [2005-5-30 105124] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-18 3072] S3 FRM;FRM;c:\docume~1\owner\locals~1\temp\frm.exe --> c:\docume~1\owner\locals~1\temp\FRM.exe [?] S3 JJ;JJ;c:\docume~1\owner\locals~1\temp\jj.exe --> c:\docume~1\owner\locals~1\temp\JJ.exe [?] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232] S3 LCKAQ;LCKAQ;c:\docume~1\owner\locals~1\temp\lckaq.exe --> c:\docume~1\owner\locals~1\temp\LCKAQ.exe [?] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?] S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [2009-7-16 107904] S3 OJMCTAV;OJMCTAV;c:\docume~1\owner\locals~1\temp\ojmctav.exe --> c:\docume~1\owner\locals~1\temp\OJMCTAV.exe [?] S3 QDFSDRV;QDFSDRV;\??\c:\windows\system32\drivers\qdfsdrv.sys --> c:\windows\system32\drivers\qdfsdrv.sys [?] S3 QEDMY;QEDMY;c:\docume~1\owner\locals~1\temp\qedmy.exe --> c:\docume~1\owner\locals~1\temp\QEDMY.exe [?] S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?] S3 rootrepeal1.3.3;rootrepeal1.3.3;c:\windows\system32\drivers\rootrepeal1.3.3.sys [2009-11-17 34816] S3 rootrepeal1.3.4;rootrepeal1.3.4;\??\c:\windows\system32\drivers\rootrepeal1.3.4.sys --> c:\windows\system32\drivers\rootrepeal1.3.4.sys [?] S3 rootrepeal1.3.5.0;rootrepeal1.3.5.0;\??\c:\windows\system32\drivers\rootrepeal1.3.5.0.sys --> c:\windows\system32\drivers\rootrepeal1.3.5.0.sys [?] S3 STV673;STV0673 Camera;c:\windows\system32\drivers\STV673.SYS [2006-4-21 122256] S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\owner\desktop\sysprot\sysprotdrv.sys --> c:\documents and settings\owner\desktop\sysprot\SysProtDrv.sys [?] S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [2009-5-13 33792] S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2005-2-27 15576] =============== Created Last 30 ================ 2009-11-24 12:32:30 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes 2009-11-24 12:32:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-24 12:32:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-24 12:32:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-24 12:32:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-11-24 01:13:18 54624 ----a-w- c:\windows\system32\42cAA.sys 2009-11-24 00:57:54 2335270 ----a-w- c:\windows\system32\d8a25.mht 2009-11-24 00:48:13 102800 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2009-11-23 11:06:09 0 d-----w- c:\program files\Sophos 2009-11-21 20:41:29 0 d-----w- c:\windows\system32\wbem\Repository 2009-11-19 19:29:02 54156 ---ha-w- c:\windows\QTFont.qfn 2009-11-19 19:29:02 1409 ----a-w- c:\windows\QTFont.for 2009-11-17 19:10:25 34816 ----a-w- c:\windows\system32\drivers\rootrepeal1.3.3.sys 2009-11-11 21:26:56 47 ----a-w- c:\windows\tlknw4.ini 2009-11-10 14:44:55 0 d-----w- c:\docume~1\owner\applic~1\XnView 2009-11-04 20:15:18 0 ---ha-w- C:\aaw7boot.cmd 2009-11-03 19:32:45 15880 ----a-w- c:\windows\system32\lsdelete.exe 2009-11-03 16:36:49 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2009-11-03 15:35:51 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2009-11-03 14:17:41 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-11-02 21:57:43 151552 ----a-w- c:\windows\system32\SpamExpertsLSP.dll 2009-11-02 21:57:42 0 d-----w- c:\docume~1\owner\applic~1\SpamExperts 2009-11-02 21:57:35 0 d-----w- c:\program files\SpamExperts 2009-10-27 14:46:26 0 d-----w- C:\RSV3 - Portuguese (Brazil) 2009-10-26 16:32:52 1908 ----a-w- c:\windows\diagwrn.xml 2009-10-26 16:32:52 1908 ----a-w- c:\windows\diagerr.xml ==================== Find3M ==================== 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-08 07:47:35 33205 ----a-w- c:\program files\common files\alg.exet 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll 2007-06-19 19:59:38 32 --sha-w- c:\windows\{0EF10811-87A3-49FB-90AC-9AA3A1180091}.dat 2007-02-06 09:44:26 32 --sha-w- c:\windows\{20C5732B-278E-414F-9969-4B1B6F6B1074}.dat 2007-06-18 14:39:32 32 --sha-w- c:\windows\{284C635E-CE35-4DBA-B923-F917A79E3158}.dat 2007-06-19 20:01:19 32 --sha-w- c:\windows\{29F6F205-6349-440F-B858-619E577BE647}.dat 2007-06-19 19:59:38 32 --sha-w- c:\windows\{2F2B7764-4C86-4116-9660-4949D5731615}.dat 2007-06-19 19:59:38 32 --sha-w- c:\windows\{3AB1F9C7-0860-4561-8562-C508918D7781}.dat 2007-06-19 16:41:48 32 --sha-w- c:\windows\{427F2E8C-2B7E-40EF-B90F-4D30B0722D47}.dat 2007-06-19 16:40:57 32 --sha-w- c:\windows\{4D1E3325-E93C-4F2C-8870-5E9EDB834919}.dat 2007-02-06 09:45:12 32 --sha-w- c:\windows\{4FD83288-7971-4F7B-BFA5-7E97B023888A}.dat 2007-06-18 14:38:05 32 --sha-w- c:\windows\{70DD99C6-831E-407B-93D7-7D950103D147}.dat 2007-06-19 14:41:36 32 --sha-w- c:\windows\{72CB7929-2EA1-4B0E-A425-873B8EFAF45F}.dat 2007-06-19 16:42:58 32 --sha-w- c:\windows\{740FE7C4-38FC-4884-8127-11EC56358F6C}.dat 2007-06-19 20:00:18 32 --sha-w- c:\windows\{76AA0AB7-C176-4D3B-8605-32360E9F1526}.dat 2007-06-19 14:42:40 32 --sha-w- c:\windows\{7A5CBF1A-020D-42E5-B460-7DB12206A266}.dat 2007-06-19 20:00:51 32 --sha-w- c:\windows\{800608D0-F8E7-41E4-A412-8AD09184F5CA}.dat 2007-06-18 14:38:05 32 --sha-w- c:\windows\{81A8AABF-795E-4E7F-8B35-FCD83C332C07}.dat 2007-06-19 16:40:57 32 --sha-w- c:\windows\{927C7A09-0157-4E97-9BE9-DB374F207653}.dat 2007-02-06 09:46:12 32 --sha-w- c:\windows\{9C6BC5BD-1D28-452B-96B0-51F812146D6E}.dat 2007-06-18 14:38:56 32 --sha-w- c:\windows\{AE9C34FD-8EA6-459B-8BDF-D598B021A0A3}.dat 2007-02-06 09:44:26 32 --sha-w- c:\windows\{B07660CF-B4A5-4405-9B00-44EE1A375ED1}.dat 2007-06-19 14:40:46 32 --sha-w- c:\windows\{B56DC562-477B-4E50-8E7B-FD3172E841B2}.dat 2007-06-19 14:42:12 32 --sha-w- c:\windows\{BAA44635-64E0-4B25-A1B0-A9C490DCF4D7}.dat 2007-02-06 09:45:47 32 --sha-w- c:\windows\{BBAA2AF7-D61A-44A8-BA3D-EA7749D14EA3}.dat 2007-06-19 14:40:46 32 --sha-w- c:\windows\{BC390267-5611-4E34-B0F9-6E0452330B2D}.dat 2007-02-06 09:44:26 32 --sha-w- c:\windows\{D172EB0A-FEBF-464F-8C36-881A8AEEBC76}.dat 2007-06-18 14:39:59 32 --sha-w- c:\windows\{D2B46CC4-4298-4E90-A23F-547657F2ED3F}.dat 2007-06-19 16:39:18 32 --sha-w- c:\windows\{D4C1D427-33E1-457C-9D60-6D1BDF139805}.dat 2007-06-19 16:40:57 32 --sha-w- c:\windows\{D4CC30C0-80A3-44E6-8395-0A4B35D89746}.dat 2007-06-18 14:38:05 32 --sha-w- c:\windows\{D4DE64AE-BA96-4E9C-B219-5D01904A7E8C}.dat 2007-06-19 14:40:46 32 --sha-w- c:\windows\{DDF7F8C6-0468-4A32-90C0-4CCCB835D1FB}.dat 2007-06-19 16:42:27 32 --sha-w- c:\windows\{F439E292-3949-4A8C-90AA-E0ED6D1108CE}.dat 2007-06-18 14:39:32 32 --sha-w- c:\windows\system32\{02AC961C-23ED-4F7B-A4EF-F84BC0600B68}.dat 2007-06-19 14:41:36 32 --sha-w- c:\windows\system32\{0BAD9E4E-3EF2-4909-9F07-57E9867440DA}.dat 2007-06-19 16:40:57 32 --sha-w- c:\windows\system32\{0CD7FDC8-662A-4E61-BCD1-59A21506A505}.dat 2007-06-19 14:42:40 32 --sha-w- c:\windows\system32\{12D11B55-6089-4496-B7A0-FF6A12A32C25}.dat 2007-06-19 16:40:57 32 --sha-w- c:\windows\system32\{206B7165-8FD4-4947-8376-B6CF436D9649}.dat 2007-06-19 14:40:46 32 --sha-w- c:\windows\system32\{27477B90-8E61-4FCB-921F-B277A6E24760}.dat 2007-06-19 16:42:27 32 --sha-w- c:\windows\system32\{308D7C35-E406-406B-89E1-86B5528AF6DC}.dat 2007-06-19 14:42:12 32 --sha-w- c:\windows\system32\{34CB3D91-8727-4750-9772-CC8829D3C34A}.dat 2007-02-06 09:46:12 32 --sha-w- c:\windows\system32\{3535C4DF-B280-4D45-8581-52867749979D}.dat 2007-06-19 20:00:51 32 --sha-w- c:\windows\system32\{360E0E53-0260-4E6F-94C4-610F544830D2}.dat 2007-02-06 09:45:47 32 --sha-w- c:\windows\system32\{3E3F97FD-92DB-40EB-857C-FDE131CE41A3}.dat 2007-06-19 16:39:18 32 --sha-w- c:\windows\system32\{3F834989-B152-4991-9F9C-8D042E9EB505}.dat 2007-06-19 14:40:46 32 --sha-w- c:\windows\system32\{54AE8BFC-44BF-446A-BD77-45CF251D4C2F}.dat 2007-06-18 14:38:05 32 --sha-w- c:\windows\system32\{68E13551-3B92-43FB-A9C7-BD7297BE4F93}.dat 2007-02-06 09:44:26 32 --sha-w- c:\windows\system32\{6B1FA805-43EC-4BD6-8724-C59849ED278A}.dat 2007-02-06 09:44:26 32 --sha-w- c:\windows\system32\{73B58090-05BD-4455-BE49-0E3509D13A9A}.dat 2007-06-18 14:39:59 32 --sha-w- c:\windows\system32\{8CB819E1-8293-4656-90B4-011ADF4A33DB}.dat 2007-06-19 19:59:38 32 --sha-w- c:\windows\system32\{8DF1122C-E7DE-4C30-B0DD-B87809D84ED8}.dat 2007-06-18 14:38:05 32 --sha-w- c:\windows\system32\{950FD490-E5BA-4C79-854B-A1B09FC8EC97}.dat 2007-06-18 14:38:56 32 --sha-w- c:\windows\system32\{9D5C346F-3D80-42B9-8D3F-0C2F182E2F9D}.dat 2007-06-19 16:42:58 32 --sha-w- c:\windows\system32\{9ED41E35-F8AB-4F3E-8B8D-E70935C4B3A3}.dat 2007-06-19 19:59:38 32 --sha-w- c:\windows\system32\{9FF8B0DF-84E5-4DC6-9424-193E66D1C21E}.dat 2007-06-19 20:00:18 32 --sha-w- c:\windows\system32\{B2F6F586-F122-40AF-A96C-86CEE7A3E55B}.dat 2007-02-06 09:45:12 32 --sha-w- c:\windows\system32\{B587DFF3-4AA9-4929-B5EC-2D1F17114B04}.dat 2007-06-19 14:40:46 32 --sha-w- c:\windows\system32\{B91D95DA-8799-4605-A8FA-62CB71E7FD5A}.dat 2007-06-19 20:01:19 32 --sha-w- c:\windows\system32\{CA3D611C-0E96-4FB7-BE2E-745F5E65EC5C}.dat 2007-06-19 16:40:57 32 --sha-w- c:\windows\system32\{E2D58C15-BBE6-4511-B994-C1C17E2AC9F5}.dat 2007-06-19 19:59:38 32 --sha-w- c:\windows\system32\{F1699A0E-698C-46CD-8C4A-5B4D54E8359A}.dat 2007-06-18 14:38:05 32 --sha-w- c:\windows\system32\{F53CCA35-8A86-4D42-9700-76E498CA6FDD}.dat 2007-06-19 16:41:48 32 --sha-w- c:\windows\system32\{F73A793F-AC00-4B0E-9820-378E64BD44B6}.dat 2007-02-06 09:44:26 32 --sha-w- c:\windows\system32\{FAB538C2-F03A-43FD-8220-CB73DF4EB3B3}.dat 2008-10-20 12:17:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102020081021\index.dat ============= FINISH: 9:02:42.60 ===============

Attached Files

•  Attach.zip   5.25KB   705 downloads

[extremeboy]

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

[JoeGons]

Hi, Thank you for your time and patience. I have downloaded Combo. I read the instructions carefully and proceeded to start a scan and stopped. It occurred to me that I did not know what this program would really do. Exactly what (or where) does it scan? There are several warnings about running this without supervision. My question is, “Did you see something in the logs I sent that you think should be removed?” It would be of some comfort to me if I knew exactly what I was doing. You have been very generous with your time in an effort to help me. I do appreciate that very much. I am not comfortable unleashing Combo on my system not knowing what it will do. I, like most of us, have a few things on the computer that are harmless but never-the-less are flagged by security programs. (Even “Joke” files.) I really don’t want my archives messed with. Norton does that enough!!! I am only interested in whether there is a nasty on my “Operating System”. Please let me know what we are looking for. Thanks again, Joe

[extremeboy]

Hello.

Yes there are a few things in the log which we can remove. Rest assured that Combofix was not attended for private uses but if you are guided and follow the instructions correctly then everything should go fine. Combofix has been used many times before and is a safe tool to use under guidance otherwise we wouldn't be telling you to run tools that are unsafe.

ComboFix is an extremely powerful tool and you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

[JoeGons]

Well, I ran Combo.
I apologize for my caution.
My Archives were not ravaged.
The Log is attached.
I got really scared when it said “Deleting Desktop Folder”.
Everything was there after reboot.
What a relief!!


ComboFix 09-11-25.01 - Owner 11/25/2009 17:14.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.765.361 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ErrLog.txt
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk
c:\windows\system32\AutoRun.inf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-25 16:03 . 2009-11-25 16:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-25 12:49 . 2009-11-25 14:15 -------- d-----w- C:\Restore atapi.sys
2009-11-24 12:33 . 2009-11-24 12:33 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-24 12:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 12:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 12:32 . 2009-11-24 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 12:32 . 2009-11-24 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-24 01:13 . 2009-11-24 01:13 54624 ----a-w- c:\windows\system32\42cAA.sys
2009-11-23 11:06 . 2009-11-23 11:06 -------- d-----w- c:\program files\Sophos
2009-11-21 20:41 . 2009-11-21 20:41 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-17 19:10 . 2009-11-17 19:10 34816 ----a-w- c:\windows\system32\drivers\rootrepeal1.3.3.sys
2009-11-17 16:08 . 2009-11-17 16:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-11-17 16:02 . 2009-11-17 16:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-17 16:02 . 2009-11-20 19:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2009-11-16 23:06 . 2009-11-18 23:17 -------- d-----w- c:\program files\ERUNT
2009-11-16 15:34 . 2009-11-16 15:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\G DATA
2009-11-10 14:44 . 2009-11-10 14:44 -------- d-----w- c:\documents and settings\Owner\Application Data\XnView
2009-11-04 20:15 . 2009-11-04 20:15 0 ---ha-w- C:\aaw7boot.cmd
2009-11-03 20:56 . 2009-11-03 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-03 20:55 . 2009-11-03 20:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-03 19:32 . 2009-11-03 16:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-03 16:35 . 2009-11-03 16:35 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-03 16:35 . 2009-11-03 16:35 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-03 16:35 . 2009-11-03 16:35 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-03 16:35 . 2009-11-03 16:35 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-03 16:35 . 2009-11-03 16:35 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-03 15:35 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-03 14:17 . 2009-11-03 14:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-03 14:17 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-02 21:57 . 2007-12-04 08:59 151552 ----a-w- c:\windows\system32\SpamExpertsLSP.dll
2009-11-02 21:57 . 2009-11-25 21:02 -------- d-----w- c:\documents and settings\Owner\Application Data\SpamExperts
2009-11-02 21:57 . 2009-11-02 21:57 -------- d-----w- c:\program files\SpamExperts
2009-11-02 00:33 . 2009-11-02 11:49 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-10-27 14:46 . 2009-10-27 14:48 -------- d-----w- C:\RSV3 - Portuguese (Brazil)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 21:09 . 2009-05-07 00:03 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-11-24 19:16 . 2005-03-04 13:11 -------- d-----w- c:\program files\PHOTOED
2009-11-22 14:16 . 2005-02-27 15:51 -------- d-----w- c:\program files\Common Files\Lanovation
2009-11-22 14:15 . 2005-02-27 15:31 -------- d-----w- c:\program files\Common Files\New Boundary
2009-11-21 23:30 . 2008-02-06 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-19 16:20 . 2005-02-27 15:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-16 02:21 . 2008-10-28 15:51 -------- d-----w- c:\documents and settings\Owner\Application Data\MyHeritage
2009-11-15 17:39 . 2007-07-19 13:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 21:04 . 2009-06-13 20:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-11-09 15:21 . 2006-05-04 20:43 -------- d-----w- c:\program files\7-Zip
2009-11-03 14:17 . 2008-01-30 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-03 14:17 . 2005-09-24 15:43 -------- d-----w- c:\program files\Lavasoft
2009-11-03 12:05 . 2005-02-28 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 00:37 . 2009-03-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-24 21:27 . 2009-10-24 21:27 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000009000002i\switch.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000008f00003i\mp3enc.exe
2009-10-23 20:34 . 2009-10-23 20:34 7680 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\Switch Sound File Converter\4000001e00002i\mp3el.exe
2009-10-23 19:39 . 2009-09-04 21:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Thinstall
2009-10-15 14:12 . 2009-01-29 02:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-09-30 11:41 . 2006-01-13 14:46 -------- d-----w- c:\program files\FinePixViewer
2009-09-19 23:55 . 2009-09-19 23:55 7168 ----a-w- c:\documents and settings\Owner\Application Data\Thinstall\PowerISO\1000000500002i\regsvr32.exe
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 07:47 . 2009-09-08 07:47 33205 ----a-w- c:\program files\Common Files\alg.exet
2009-09-07 14:35 . 2009-09-07 14:35 9454 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{AFDFC350-C142-4790-BE12-8357AECD028F}\_6FEFF9B68218417F98F549.exe
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{0EF10811-87A3-49FB-90AC-9AA3A1180091}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{20C5732B-278E-414F-9969-4B1B6F6B1074}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{284C635E-CE35-4DBA-B923-F917A79E3158}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\{29F6F205-6349-440F-B858-619E577BE647}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{2F2B7764-4C86-4116-9660-4949D5731615}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\{3AB1F9C7-0860-4561-8562-C508918D7781}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\{427F2E8C-2B7E-40EF-B90F-4D30B0722D47}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{4D1E3325-E93C-4F2C-8870-5E9EDB834919}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{4FD83288-7971-4F7B-BFA5-7E97B023888A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{70DD99C6-831E-407B-93D7-7D950103D147}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\{72CB7929-2EA1-4B0E-A425-873B8EFAF45F}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{740FE7C4-38FC-4884-8127-11EC56358F6C}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{76AA0AB7-C176-4D3B-8605-32360E9F1526}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{7A5CBF1A-020D-42E5-B460-7DB12206A266}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\{800608D0-F8E7-41E4-A412-8AD09184F5CA}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{81A8AABF-795E-4E7F-8B35-FCD83C332C07}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{927C7A09-0157-4E97-9BE9-DB374F207653}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\{9C6BC5BD-1D28-452B-96B0-51F812146D6E}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{AE9C34FD-8EA6-459B-8BDF-D598B021A0A3}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{B07660CF-B4A5-4405-9B00-44EE1A375ED1}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{B56DC562-477B-4E50-8E7B-FD3172E841B2}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\{BAA44635-64E0-4B25-A1B0-A9C490DCF4D7}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\{BBAA2AF7-D61A-44A8-BA3D-EA7749D14EA3}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{BC390267-5611-4E34-B0F9-6E0452330B2D}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\{D172EB0A-FEBF-464F-8C36-881A8AEEBC76}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\{D2B46CC4-4298-4E90-A23F-547657F2ED3F}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\{D4C1D427-33E1-457C-9D60-6D1BDF139805}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\{D4CC30C0-80A3-44E6-8395-0A4B35D89746}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\{D4DE64AE-BA96-4E9C-B219-5D01904A7E8C}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\{DDF7F8C6-0468-4A32-90C0-4CCCB835D1FB}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\{F439E292-3949-4A8C-90AA-E0ED6D1108CE}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{02AC961C-23ED-4F7B-A4EF-F84BC0600B68}.dat
2007-06-19 14:41 . 2007-06-19 14:41 32 --sha-w- c:\windows\system32\{0BAD9E4E-3EF2-4909-9F07-57E9867440DA}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{0CD7FDC8-662A-4E61-BCD1-59A21506A505}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{12D11B55-6089-4496-B7A0-FF6A12A32C25}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{206B7165-8FD4-4947-8376-B6CF436D9649}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{27477B90-8E61-4FCB-921F-B277A6E24760}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{308D7C35-E406-406B-89E1-86B5528AF6DC}.dat
2007-06-19 14:42 . 2007-06-19 14:42 32 --sha-w- c:\windows\system32\{34CB3D91-8727-4750-9772-CC8829D3C34A}.dat
2007-02-06 09:46 . 2007-02-06 09:46 32 --sha-w- c:\windows\system32\{3535C4DF-B280-4D45-8581-52867749979D}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{360E0E53-0260-4E6F-94C4-610F544830D2}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{3E3F97FD-92DB-40EB-857C-FDE131CE41A3}.dat
2007-06-19 16:39 . 2007-06-19 16:39 32 --sha-w- c:\windows\system32\{3F834989-B152-4991-9F9C-8D042E9EB505}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{54AE8BFC-44BF-446A-BD77-45CF251D4C2F}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{68E13551-3B92-43FB-A9C7-BD7297BE4F93}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{6B1FA805-43EC-4BD6-8724-C59849ED278A}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{73B58090-05BD-4455-BE49-0E3509D13A9A}.dat
2007-06-18 14:39 . 2007-06-18 14:39 32 --sha-w- c:\windows\system32\{8CB819E1-8293-4656-90B4-011ADF4A33DB}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{8DF1122C-E7DE-4C30-B0DD-B87809D84ED8}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{950FD490-E5BA-4C79-854B-A1B09FC8EC97}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{9D5C346F-3D80-42B9-8D3F-0C2F182E2F9D}.dat
2007-06-19 16:42 . 2007-06-19 16:42 32 --sha-w- c:\windows\system32\{9ED41E35-F8AB-4F3E-8B8D-E70935C4B3A3}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{9FF8B0DF-84E5-4DC6-9424-193E66D1C21E}.dat
2007-06-19 20:00 . 2007-06-19 20:00 32 --sha-w- c:\windows\system32\{B2F6F586-F122-40AF-A96C-86CEE7A3E55B}.dat
2007-02-06 09:45 . 2007-02-06 09:45 32 --sha-w- c:\windows\system32\{B587DFF3-4AA9-4929-B5EC-2D1F17114B04}.dat
2007-06-19 14:40 . 2007-06-19 14:40 32 --sha-w- c:\windows\system32\{B91D95DA-8799-4605-A8FA-62CB71E7FD5A}.dat
2007-06-19 20:01 . 2007-06-19 20:01 32 --sha-w- c:\windows\system32\{CA3D611C-0E96-4FB7-BE2E-745F5E65EC5C}.dat
2007-06-19 16:40 . 2007-06-19 16:40 32 --sha-w- c:\windows\system32\{E2D58C15-BBE6-4511-B994-C1C17E2AC9F5}.dat
2007-06-19 19:59 . 2007-06-19 19:59 32 --sha-w- c:\windows\system32\{F1699A0E-698C-46CD-8C4A-5B4D54E8359A}.dat
2007-06-18 14:38 . 2007-06-18 14:38 32 --sha-w- c:\windows\system32\{F53CCA35-8A86-4D42-9700-76E498CA6FDD}.dat
2007-06-19 16:41 . 2007-06-19 16:41 32 --sha-w- c:\windows\system32\{F73A793F-AC00-4B0E-9820-378E64BD44B6}.dat
2007-02-06 09:44 . 2007-02-06 09:44 32 --sha-w- c:\windows\system32\{FAB538C2-F03A-43FD-8220-CB73DF4EB3B3}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-02-24 266313]
"Gateway Ink Monitor"="c:\program files\Gateway Utilities\GWInkMonitor.exe" [2003-06-25 303180]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-04 50688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"StartupDelayer"="e:\program files\Startup Delayer\Startup Launcher GUI.exe" [2004-03-01 45056]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-06-13 95960]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2005-10-13 81920]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-02-27 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 152952]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-1-18 282624]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\XSandbox\\Diskeeper ™ Application Launcher\\13.0.3.0\\2008.12.07T11.56\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"e:\\Portable Diskeeper Pro Premier 2009 V.13.0 Build 835\\Virtual\\STUBEXE\\@PROGRAMFILES@\\Diskeeper Corporation\\Diskeeper\\DkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 11:35 AM 64288]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/21/2009 6:16 PM 22536]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [3/21/2009 6:16 PM 4150840]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\xylocser.sys [4/18/2007 8:18 PM 55712]
S3 42cAA;42cAA;c:\windows\system32\42cAA.sys [11/23/2009 9:13 PM 54624]
S3 abcderr;abcderr;\??\c:\windows\system32\drivers\abcderr.sys --> c:\windows\system32\drivers\abcderr.sys [?]
S3 ELQQIN;ELQQIN;c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe --> c:\docume~1\Owner\LOCALS~1\Temp\ELQQIN.exe [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 2:39 PM 8704]
S3 EPPSCSIx;EPPSCSI Driver;c:\windows\system32\drivers\eppscan.sys [5/30/2005 2:32 PM 105124]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 2:39 PM 3072]
S3 FRM;FRM;c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe --> c:\docume~1\Owner\LOCALS~1\Temp\FRM.exe [?]
S3 JJ;JJ;c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe --> c:\docume~1\Owner\LOCALS~1\Temp\JJ.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1179232]
S3 LCKAQ;LCKAQ;c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe --> c:\docume~1\Owner\LOCALS~1\Temp\LCKAQ.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [7/16/2009 10:28 AM 107904]
S3 OJMCTAV;OJMCTAV;c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe --> c:\docume~1\Owner\LOCALS~1\Temp\OJMCTAV.exe [?]
S3 QDFSDRV;QDFSDRV;\??\c:\windows\system32\drivers\qdfsdrv.sys --> c:\windows\system32\drivers\qdfsdrv.sys [?]
S3 QEDMY;QEDMY;c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe --> c:\docume~1\Owner\LOCALS~1\Temp\QEDMY.exe [?]
S3 STV673;STV0673 Camera;c:\windows\system32\drivers\STV673.SYS [4/21/2006 5:00 PM 122256]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys --> c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys [?]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [5/13/2009 10:37 AM 33792]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/27/2005 1:26 PM 15576]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{32544452-2241-2343-2313-245211031325}]
c:\windows\winlogon.exe
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 21:13]

2009-11-23 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-10-09 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
LSP: c:\windows\system32\SpamExpertsLSP.dll
TCP: {59202295-CE19-4883-A6D0-90355915FD97} = 196.3.132.153,196.3.132.154
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Free Rent or Buy Calculator_is1 - c:\wheatworks\FreeROB\unins000.exe
AddRemove-Gateway Drivers and Applications Recovery - c:\program files\Gateway\HPA\GWMenu.exe UNINSTALL
AddRemove-Gateway IE Customizations - c:\program files\\Gateway\IECustom\IEProj.exe UNINSTALL
AddRemove-Panda ActiveScan - c:\windows\system32\ASUninst.exe Panda ActiveScan
AddRemove-QcDrv - c:\program files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE UNINSTALL REMOVEPROMPT
AddRemove-Sophos-AntiRootkit - c:\program files\Sophos\Sophos Anti-Rootkit\helper.exe remove
AddRemove-Tweak UI 2.10 - c:\windows\System32\mshta.exe res://c:\windows\System32\TweakUI.exe/uninstall.hta



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 17:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x836A60B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf750cf28
\Driver\ACPI -> ACPI.sys @ 0xf7429cb8
\Driver\atapi -> 0x836a60b0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,1c,d4,ea,a9,f7,82,44,8c,28,a4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,1c,d4,ea,a9,f7,82,44,8c,28,a4,\

[HKEY_USERS\S-1-5-21-220523388-573735546-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1216)
c:\windows\system32\SpamExpertsLSP.dll

- - - - - - - > 'explorer.exe'(2072)
c:\windows\system32\WININET.dll
c:\program files\Gateway Utilities\inkpeek.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Norton AntiVirus\SAVScan.exe
c:\windows\System32\snmp.exe
e:\uphclean\uphclean.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Messenger\msmsgs.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuComServer_3_4.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-11-25 17:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-25 21:50

Pre-Run: 1,692,794,880 bytes free
Post-Run: 4,874,072,064 bytes free

- - End Of File - - 5D9D4EF9ECDB0C0D05717983715B715F